3 Banks Process 95% of Spam-Related Payments

Amazingly, the study finds that 95 percent of all spam-related credit card transactions are processed by only three banks, based in Azerbaijan, St. Kitts and Nevis and Latvia. Moreover, spam processors tend to specialize in specific niches. According to the paper:

In particular, most herbal and replica purchases cleared through the same bank in St. Kitts (a by-product of ZedCash’s dominance of this market, as per the previous discussion), while most pharmaceutical affiliate programs used two banks (in Azerbaijan and Latvia), and software was handled entirely by two banks (in Latvia and Russia).

Tellingly, most, but not all, processors are located in places with lax regulation.

‘Most’ Spam Transactions Coded Correctly

The researchers then methodically go over the transaction classification used by the processors of spam payments:

Each payment transaction also includes a standardized “Merchant Category Code” (MCC) indicating the type of goods or services being offered [52]. Interestingly, most affiliate program transactions appear to be coded correctly.

The reason why the scientists find the correct transaction classification interesting is that Visa and MasterCard usually clamp down real hard on banks facilitating such high risk transactions. Of course some processors are trying to disguise the real nature of spam transactions:

[A]nd finally Greenline which is the sole pharmaceutical affiliate program that cleared transactions through a US Bank during our study (completely miscoded as 5732, Electronic Sales, across multiple purchases). The latter two cases suggest that some minor programs with less reliable payment relationships do try to hide the nature of their transactions, but generally speaking, category coding is correct. A key reason for this may be the substantial fines imposed by Visa on acquirers when miscoded merchant accounts are discovered “laundering” high-risk goods.

There you have it. My educated guess is that it is not the bank who is misbehaving in this instance, but rather a sales agent or an Independent Sales Organization (ISO) whose acquirer is this particular bank. Such organizations solicit merchants for their acquirer who underwrites the merchant account. However, the intermediary is the one who communicates directly with the merchant and may suggest that the latter “adjust” their line of business in the application paperwork to make it easier to approve. Eventually, the bank will find out what is going on and terminate the account. There are just too many things that can go wrong with such a scheme for it to be successful in the long run. Or at least that is the case here in the U.S.

Infrastructure involved in a single URL's value chain, including advertisement, click support and realization steps. Source: UCSD.

The Conclusion: Payment Processing Most Valuable Spam Asset

The researchers consider several options for disrupting the spam ecosystem, including suspending offending domains by the registrar or hosting provider, but conclude that:

[T]he payment tier is by far the most concentrated and valuable asset in the spam ecosystem, and one for which there may be a truly effective intervention through public policy action in Western countries.

More specifically, the paper suggests two policy approaches for cutting off the spam transaction cycle. The first option is for acquirers to terminate offending merchant accounts. However, as the scientists themselves acknowledge, this can be difficult to accomplish, as such merchants register their payment accounts in countries like Azerbaijan for a reason. Still, Visa and MasterCard can easily force member banks to stop processing spam payments.

The second option suggested by the report is to have spam payments rejected by the card issuers. The declines would be triggered by indicators such as specific MCC transaction codes and processing banks (presumably located in places like St. Kitts, Latvia, Azerbaijan, etc.). This approach would be much more difficult to implement than the first one. I just don’t see Visa or MasterCard imposing restrictions on the types of transactions a specific member bank is allowed to participate in. Issuers cannot make such decisions on their own, so if such a black list is to be created, it would have to be the doing of a governmental regulatory agency. Well, spam emails just don’t strike me as the type of issue likely to capture the collective imagination of financial regulators right now. I guess we will have to keep marveling at the incredible Viagra promotions for some time to come.